<p>By default S3 buckets are private, it means that only the bucket owner can access it.</p>
<p>This access control can be relaxed with ACLs or policies.</p>
<p>To prevent permissive policies or ACLs to be set on a S3 bucket the following booleans settings can be enabled:</p>
<ul>
  <li> <code>blockPublicAcls</code>: to block or not public ACLs to be set to the S3 bucket. </li>
  <li> <code>ignorePublicAcls</code>: to consider or not existing public ACLs set to the S3 bucket. </li>
  <li> <code>blockPublicPolicy</code>: to block or not public policies to be set to the S3 bucket. </li>
  <li> <code>restrictPublicBuckets</code>: to restrict or not the access to the S3 endpoints of public policies to the principals within the bucket
  owner account. </li>
</ul>
<p>The other attribute <code>BlockPublicAccess.BLOCK_ACLS</code> only turns on <code>blockPublicAcls</code> and <code>ignorePublicAcls</code>. The
public policies can still affect the S3 bucket.</p>
<p>However, all of those options can be enabled by setting the <code>blockPublicAccess</code> property of the S3 bucket to
<code>BlockPublicAccess.BLOCK_ALL</code>.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The S3 bucket stores sensitive data. </li>
  <li> The S3 bucket is not used to store static resources of websites (images, css …​). </li>
  <li> Many users have the permission to set ACL or policy to the S3 bucket. </li>
  <li> These settings are not already enforced to true at the account level. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to configure:</p>
<ul>
  <li> <code>blockPublicAcls</code> to <code>True</code> to block new attempts to set public ACLs. </li>
  <li> <code>ignorePublicAcls</code> to <code>True</code> to block existing public ACLs. </li>
  <li> <code>blockPublicPolicy</code> to <code>True</code> to block new attempts to set public policies. </li>
  <li> <code>restrictPublicBuckets</code> to <code>True</code> to restrict existing public policies. </li>
</ul>
<h2>Sensitive Code Example</h2>
<p>By default, when not set, the <code>blockPublicAccess</code> is fully deactivated (nothing is blocked):</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket'
}); // Sensitive
</pre>
<p>This <code>block_public_access</code> allows public ACL to be set:</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : false, // Sensitive
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});
</pre>
<p>The attribute <code>BLOCK_ACLS</code> only blocks and ignores public ACLs:</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS // Sensitive
});
</pre>
<h2>Compliant Solution</h2>
<p>This <code>blockPublicAccess</code> blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:</p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
});
</pre>
<p>A similar configuration to the one above can be obtained by setting all parameters of the <code>blockPublicAccess</code></p>
<pre>
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'bucket',
    blockPublicAccess: new s3.BlockPublicAccess({
        blockPublicAcls         : true,
        blockPublicPolicy       : true,
        ignorePublicAcls        : true,
        restrictPublicBuckets   : true
    })
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html">AWS Documentation</a> - Blocking public
  access to your Amazon S3 storage </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222620">Application Security and
  Development: V-222620</a> - Application web servers must be on a separate network segment from the application and database servers. </li>
  <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BlockPublicAccess.html">AWS CDK version 2</a> - BlockPublicAccess </li>
</ul>
